Remote Auditing vs. Onsite Assessments: What Do I Want?

There’s a lot to consider when choosing an audit partner. What does their audit process look like? What kind of services do they offer? How will they help you reach your audit objectives? How much do they charge? Will they perform a remote audit or an onsite assessment? While these are all valid concerns, organizations also have to consider their own intentions behind pursuing compliance: is it required in order to work with new business partners? Is it to help strengthen your security posture? Is it just another item to check off on a to-do list? If an organization is looking to partner with a firm that doesn’t come onsite because it’s “easier” or cheaper, KirkpatrickPrice won’t be a good fit for you. At KirkpatrickPrice, we want to partner with organizations to help them meet their compliance objectives, and part of that is performing our due diligence and conducting an onsite visit. Why do many other audit firms advertise that they can effectively conduct an audit 100% remotely? Why do so many organizations loathe an onsite visit? Is there really that big of a difference between a remote and an onsite audit?

Why the Difference Matters

For organizations that are just starting out on their compliance journey, or for organizations looking for a new audit firm to work with, there’s one critical component to keep in mind: the audit firm you choose should always perform an onsite assessment. Why? Audit firms that promote remote-only audits are doing you a disservice. And we would know – in 2006, we were the pioneers of the remote audit. However, our remote audit methodology was never intended to eradicate the onsite visit. Instead, we positioned ourselves as a trusted audit partner that helps clients streamline the audit process and complete 80% of the audit before going onsite.

Licensed CPA firms also have an ethical obligation to perform their due diligence while conducting audits, and we take that obligation very seriously. We are committed to delivering quality audits, which would not be possible if we did not perform onsite visits. Without an onsite visit, an auditor can’t personally experience a company’s culture and integrity, processes, or physical security. For example, when our auditors have gone onsite in the past, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. So, when you’re choosing an audit partner, ask yourself: what are you willing to risk so that your auditor doesn’t come onsite?

Controls that Require an Onsite Assessment

We know that undergoing audits requires a financial, personnel, and time investment from our clients, and we want to help them get the most out of their compliance efforts. Even more so, we want our clients to actually remain compliant, and performing an onsite visit helps us verify that. Information security frameworks require that an auditor verify that physical controls are in place to safeguard sensitive data. For example, PCI Requirement 9 says that entities should “restrict physical access to cardholder data.” How will an auditor be able to determine whether an organization has implemented physical safeguards to protect its cardholder data environment if they don’t come onsite?

Getting Over the Fear of the Onsite Assessment

The onsite assessment versus remote audit debate really comes down to this: getting over the fear of the onsite visit. Because the audit process can be so rigorous and intimidating, many organizations fall into the trap of fearing it altogether. This has resulted in organizations seeking out audit firms that “guarantee” they can deliver “quality” audits without coming onsite. Many of the clients who come to us after working with other information security firms actually enjoy our onsite visits, because they feel good about knowing their auditor. While you may want a remote audit, you need an onsite assessment – it’s critical for ensuring compliance and strengthening your security posture.

If your audit partner isn’t currently performing an onsite assessment, it’s time to rethink that partnership. We know audits can be hard, but don’t take the easy way out. Contact us today to learn more about our commitment to quality, thorough audits and how we can overcome the fear of the onsite together.

More Assurance Resources

Was the Audit Worth It?

Was the Gap Analysis Worth It?

Getting Executives On Board with Information Security Needs

Why Quality Audits Will Always Pay Off: You Get What You Pay For

The Dangers of Remote Cloud Audits

A major area of risk that we’ve recognized is remote cloud audits. We hear many organizations indicate that because they are a cloud-based organization, they do not want or need onsite assessments, but we want to help them avoid this attitude. Let’s be clear: it’s completely inaccurate to say that everything is in the cloud. Why? Let’s find out.

Why You Need Onsite Assessments

Human error is often the weakest link in a security system, and the same is true for cloud environments. How did your data get into the cloud? Think of all the ways that an employee, user, or vendor interacts with your cloud – someone has to put data in the cloud, someone manages it, and someone accesses it. Each of these touchpoints is an opportunity for an insecure process, and a remote cloud audit won’t be able to catch those vulnerabilities. An auditor needs to see how employees actually carry out a process that is supposed to be secure. They need to visit your office location and examine your heating and cooling systems, your power regulation, and your physical security controls. They need to interview the employees who manage vendor compliance to verify that vendor processes are secure.

If you’ve partnered with KirkpatrickPrice on an audit before, you know that we try to eliminate as much intrusive and expensive onsite time as possible; with our Online Audit Manager, clients typically complete 80% of the audit before an onsite visit. Even with that goal in mind, we still believe that onsite assessments are necessary for a quality audit. Onsite assessments are for the review and testing of controls that cannot be tested remotely, and this purpose stands true for audits of cloud environments. Remote cloud audits will not be as thorough or accurate as ones that include onsite assessments.

It’s vital for auditors to examine your people, processes, and technologies, and it’s impossible for all of that to exist in the cloud. Onsite assessments help auditors understand the culture, physical security, and day-to-day processes of the organization being assessed.

What are the Requirements?

Need some evidence to convince you of the need for onsite assessments? From the SOC 2 perspective, the system being audited is composed of people, processes, applications, infrastructure, and data. One could argue that the applications and maybe most of the infrastructure are in the cloud, but the data has to come from somewhere, and even processes need people to complete them. How do you onboard your customers? It usually involves someone at the office doing something with the application that’s in the cloud.

PCI takes a very similar approach, where the scope includes people, processes, and technology that transmit, process, or store cardholder data, or are connected to or could impact the security of the cardholder data environment. Again, how do the people in your physical office location support the applications, infrastructure, and data that are in the cloud?

It’s understandable that a company would want to focus all of its attention on the technology in the cloud, but it’s an incomplete analysis to conclude that because you are a cloud-based organization, no onsite assessments are required. If your auditor isn’t even coming to meet you in person, you’re not getting a quality audit. If they’re not coming onsite to examine your people, processes, and technology, your audit is even more flawed. If you want a thorough audit of your cloud environment, let KirkpatrickPrice help. Contact us today.

More Cloud Security Resources

Who’s Responsible for Cloud Security?

12 Risks You Need to Know to Secure Your Cloud Environment

Cloud Security: The Good, The Bad, and The Ugly